Cross-Site Request Forgery (CSRF)

Root Cause Summary

A vulnerable application processes a transaction using an existing session, without verifying that the transaction was intended to be initiated by the user and not a malicious 3rd-party site. CSRF is also known as Session Riding or Confused Deputy.

Browser / Standards Solution

Generic

None

Framework Solution

None

Perimeter Solution

None

Generic Framework Solution

Automatically generate and check tokens for all POST requests by default, following the Synchronizer Token Pattern with configuration-based exclusion list for transactions which must not or need not be protected against CSRF. Disallow state changes via GET requests, enforcing RFC.

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

CSRF tokens will be made obsolete by a browser/standards solution that allows a site owner to specify which external web sites are allowed to initiate transactions. The current HTTP specification by design allows any web site to initiate POST requests to any other web site on the behalf of its users. Default deny for cross-domain writes will likely never pass standards review. Even policy files to control cross-domain writes are strongly disfavored.